In this blog post, we will demonstrate how to add a new host to an existing SSL VPN tunnel on a Cisco ASA appliance. More specifically, we will cover the following topics:
Existing SSL VPN Tunnel
The first thing you will need to do is to verify that the SSL VPN tunnel is in fact already configured on your Cisco ASA appliance. To do this, login to the Cisco ASA interface with the username and password you used during the initial SSL VPN installation process. You will then need to navigate to Taps → SSL VPN → VPN Tunnels. In our example, the existing SSL VPN tunnel is named VPN_demo.
Next, you will need to establish the IP address of the new host you wish to add to the VPN tunnel. In most cases, this will be the IP address of a terminal device (i.e., a laptop or desktop computer).
Once you have the IP address of the new host, you can continue with the next step. You will need to ensure that the IP address of the new host is not already in use by any other devices or systems on your network. If it is, then you will either need to change the IP address of one of these devices or systems or find a different solution. For example, if you use DHCP then you can easily allocate a new IP address to the new host.
NAT (Network Address Translation) is a protocol defined by IETF RFC 3901 that allows a device on a private network to use public network addresses (IPv4/IPv6) when communicating with devices on a different private network. Since VPNs are a type of private network, it is possible that your existing VPN connection could be subject to NAT traversal attacks. In order to prevent these kinds of attacks, you will need to ensure that all of the IP addresses used within your SSL VPN tunnel are properly translated to allow communication with devices outside the firewall. In our example, we will use a tool named iprange for this purpose. To use this tool, you will need to install it on one of your devices (e.g., a computer). Once you have installed it, you can start by running the following command:
$ iprange list Default routes: 192.168.254.0/22 via 2001:470:8d:1f::2, dev eth0 192.168.0.0/16 via fdb6:0000:0000:0000:0000:0000:0000:0001
You can then use the iprange command to create a range of IP addresses that will be able to communicate with the outside world through your VPN. In our example, we will use the following command:
$ iprange add 192.168.0.1-192.168.0.20 /range=VPN_demo
This will create a range of IP addresses from 192.168.0.1 to 192.168.0.20 and will assign them to the VPN_demo tunnel. Next, you will need to assign this new range of IP addresses to one of your interfaces on the Cisco ASA. In our example, we will use the following command:
$ interface VPN_demo ip address 192.168.0.1 ip range 192.168.0.1-192.168.0.20
Cipher Suites are a group of security algorithms typically used within encryption processes. The stronger the encryption algorithm, the more secure the communication between two devices will be. In order to ensure that your existing SSL VPN tunnel is as secure as possible, you will need to make sure that all of the cipher suites are enabled within your SSL VPN configuration. In our example, we will use the default Cisco ASA SSL VPN configuration and enable only the following cipher suites:
AES – CBC- MD5
This is the most preferred cipher suite by security experts because it is considered one of the most secure encryption algorithms available. It is known as a block cipher because each byte or block of data is encrypted independently of one another. This makes it very versatile and customizable. For instance, you can use it to encrypt your entire hard drive or just specific files or folders within it. While CBC-MD5 is considered one of the strongest and most secure cipher suites available, it does come with a major drawback. Because it is a block cipher, it is considered to be extremely slow compared to other algorithms. If your main concern is speed, then you should consider using a different cipher suite. However, if you are more concerned about security, then this is the cipher suite you will want to use.
3DES – CBC- MD5
This is the second preferred cipher suite by security experts because it is considered faster than AES-CBC-MD5. However, like AES-CBC-MD5, it is also considered one of the most secure and versatile cipher suites. Like all cipher suites, it is a block cipher and operates on 32-bit blocks at a time. This makes it much faster than AES-CBC-MD5. In addition, it uses three keys instead of two as does AES-CBC-MD5. Like CBC-MD5, 3DES-CBC also uses the CBC mode of operation. This makes it very compatible with existing infrastructure and applications.
RC4 is a stream cipher. This algorithm is quite insecure and is considered to be obsolete by experts. However, it is still in use because it is extremely easy to use and implements within most standard libraries. It also has a strong comeback if you do run into trouble because it is one of the most popular algorithms used within online communities. Like all stream ciphers, RC4 operates on one key which is shared between all users. This makes it much more vulnerable to hacking than block or stream ciphers. Therefore, if you are using this algorithm, then you should consider increasing the length of the key.
IDEA – CBC- SHA
This is the third preferred cipher suite by security experts because it is a combination of both block and stream functionality. Like all CBC-based algorithms, IDEA uses the CBC mode of operation and the SHA (Secure Hash Algorithm) for hashing. The CBC mode of operation handles encryption with block ciphers while the SHA handles the integrity of the data. Therefore, this algorithm functions similarly to 3DES-CBC-MD5 but with additional benefits of speed and security.
DES – triple DES
This is the fourth preferred cipher suite by security experts because it is a combination of all of the above. Like CBC-SHA, DES can operate in either a block or a stream mode. However, unlike the latter, it can operate in three separate key sizes (64-, 112-, and 168-bit) making it quite customizable. You can also choose to use the smaller keys for speed or larger keys for added security. While it does offer some great benefits, implementing this algorithm is not without its complexities. If you are using this algorithm, then you will need to ensure that all devices within your network are configured to use the same cryptographic keys. In our case, we will be using Triple DES-CBC-SHA.
This is the fifth preferred cipher suite by security experts because it is an improvement on the standard DH scheme. In the standard DH scheme, each device within a network agrees to use a common key pair for encryption. However, in the case of a DSS (Digital Signature Scheme), the two devices exchange public keys before engaging in any encrypted communication. This way, you can be sure that both parties are who they say they are before agreeing to any sensitive information. Implementing DSS is much more complex than implementing DH but it offers many advantages. If you are looking for an additional layer of security, then this is the algorithm you will want to use.
This is the last of the preferred cipher suites by security experts. However, it is also one of the most popular algorithms used for symmetric key algorithms. This is mainly because it is extremely easy to use and can be implemented within most standard libraries. In addition, many operating systems have built-in support for this algorithm. This makes it compatible with existing infrastructure and applications.